<?php
/*
  This file is part of Open-Doors.

  Open-Doors is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  
  Open-Doors is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with Open-Doors.  If not, see <http://www.gnu.org/licenses/>.

  Authors: Rune Thorbek & Araz B. Makoo
*/ 


function sec_session_start() {
  $session_name = 'open_doors_session_id';
  $secure = false;
  $httponly = true;
 
  ini_set('session.use_only_cookies', 1);
  ini_set('session.gc_maxlifetime', '29000');
  $cookieParams = session_get_cookie_params();

  //  session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
  session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
  session_name($session_name);
  session_start();
  //session_regenerate_id(true);
}

function login($username, $password, $mysqli) {
  if ($stmt = $mysqli->prepare("SELECT id, email, password, salt FROM members WHERE username = ? LIMIT 1")) { 
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $email, $db_password, $salt);
    $stmt->fetch();
    $password = hash('sha512', $password.$salt);
 
    if($stmt->num_rows == 1) {
      if(checkbrute($user_id, $mysqli) == true) { 
	return false;
      } else {
	if($db_password == $password) {
	  $user_browser = $_SERVER['HTTP_USER_AGENT'];
	  
	  $user_id = preg_replace("/[^0-9]+/", "", $user_id);
	  $_SESSION['user_id'] = $user_id; 
	  $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
	  $_SESSION['username'] = $username;
	  $_SESSION['login_string'] = hash('sha512', $password.$user_browser);
	  return true;    
	} else {
	  $now = time();
	  $mysqli->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')");
	  return false;
	}
      }
    } else {
      return false;
    }
  }
}

function checkbrute($user_id, $mysqli) {
  $now = time();

  // 1 minute security
  $valid_attempts = $now - (60); 
  
  if ($stmt = $mysqli->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > '$valid_attempts'")) { 
    $stmt->bind_param('i', $user_id); 
    $stmt->execute();
    $stmt->store_result();

    // 1000 attempts are within one minute is no security :-)
    if($stmt->num_rows > 1000) {
      return true;
    } else {
      return false;
    }
  }
}

function login_check($mysqli) {
  if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
    $user_id       = $_SESSION['user_id'];
    $login_string  = $_SESSION['login_string'];
    $username      = $_SESSION['username'];
    
    $user_browser  = $_SERVER['HTTP_USER_AGENT'];
 
    if ($stmt = $mysqli->prepare("SELECT password FROM members WHERE id = ? LIMIT 1")) { 
      $stmt->bind_param('i', $user_id);
      $stmt->execute();
      $stmt->store_result();
      
      if($stmt->num_rows == 1) {
	$stmt->bind_result($password);
	$stmt->fetch();
	$login_check = hash('sha512', $password.$user_browser);
	if($login_check == $login_string) {
	  return true;
	} else {
	  return false;
	}
      } else {
	return false;
      }
    } else {
      return false;
    }
  } else {
    return false;
  }
}

?>